The WSJ then went to MasterCard, who told them (accurately) that multiple layers of security are available to prevent MasterCard data from being stolen by electronic eavesdropping. They quote Art Kranzley, EVP of New Payment Technologies: “It is up to the companies that issue the card to decide which security measures to adopt… Customers who don’t want RFID in their PayPass payment cards can ask to be issued an old-fashioned chipless card”.
Despite the fact that this is a payment product with lots of security, that customers don’t have to have it and that Chase (with 7 million cards issued) say they haven’t seen any fraud, the WSJ uncritically quotes a variety of anti-RFID sources. It does so apparently oblivious to the fact that the ISO 14443 13.56 MHz short-range PayPass interface is not the same as the EPC Class 1 915 MHz long-range interface used to read retail tags, that retail tags are meant to be “open” so that anyone can read the electronic barcode, that retail tags don’t contain microprocessors and that there is no cryptography in retail tags. Those sources include the Campaign Against Supermarket Privacy Invasion and Numbering (CASPIAN).
CASPIAN is run by Katherine Albrecht. I can’t see how the payments industry can placate her with spreadsheets, diagrams or anything else because she thinks that RFID chips are the Mark of the Beast from the Book of Revelation. At the beginning of a video called “The Mark of the Beast, 666: a prophesy from 2000 years ago,” from Endtime Ministries she asks “How many people (know that) technological developments of the last 10 to 20 years could be combining to make the Mark of the Beast a reality, and possibly even in our lifetimes?”
Now, whether you agree with her or not isn’t the point. Personally, I don’t, but whatever. If merchants want to record some unique biometric characteristic of shoppers (by, for example, looking at them) or would prefer shoppers to pay with something quick (a contactless debit card, for example) rather than rooting around for change, then it’s up to them. If you don’t like Tesco’s loyalty card programme, then don’t go there.
But what to do in the payments industry? What messages should we project to the media and to consumers? How can we separate consumers’ entirely reasonable concerns about RFID (concerns exacerbated by a lack of attention to the consumer perspective) from the different issues around contactless payments? I have a three-point plan:
1. We have to stop people from referring to contactless payment cards, and contactless passports for that matter, as RFID. RFID is about tags on cans of beans. Henceforth, I will never, ever say “RFID payments” again. They are contactless, contactless, contactless payments.
2. We should tell people what security there is in contactless payment systems and how it works. The era of security through obscurity is gone.
3. Issuers should include better information about contactless and how it works (from a consumer perspective) with the new contactless cards. A consistent, and valid, complaint from consumers is that they don’t understand how contactless payment cards work. Surely this could be addressed in the mailer.